Slashdot Mirror


Sun Java Runtime Uploads Usage Data to RedSheriff?

stereoroid writes "

It appears as if the Sun Java 2 Runtime Environment, version 1.3.1_02 and later, is reporting usage statistics to a company called RedSheriff, presumably on behalf of Sun. This was the Win32 version, but other versions probably have the same "feature". If you load up the Java Console, you see multiple messages like this:

----------- RedSheriff Measurement -----------
Privacy: http://www.redsheriff.com/privacy.htm
Record Sent

I noticed this while setting up the latest version of Compaq Insight Manager 7, which includes JRE 1.3.1_02 (but works with 1.4.0 too). I started examining what was happening using a network sniffer, and could see several http requests to a server under http://imrworldwide.com/, a domain name owned by RedSheriff. The data in the packets included details of the system environment, and I even saw a URL that I had accessed in a previous unrelated browser session. This was a partial capture only, it doesn't happen every time, but I'll keep watching to see what else goes through. If I use the JRE, must Sun know my IP address and what OS I'm running, and more? This has also been quietly commented on in Sun's Java Forums. I'm currently digging for a way around this - any ideas, besides a firewall?"

52 comments

  1. What can you do? by kingosric · · Score: 2, Interesting

    Send back fake results to screw up their data....

  2. Edit. by QuodEratDemonstratum · · Score: 3, Interesting

    If you haven't got a firewall, edit the binary and alter the URL the messages are sent to. "http:www.sun.com/abuse" should send the point when they look in their server logs.

  3. add imrworldwide.com to your hosts file by tswinzig · · Score: 3, Informative

    In W2K/XP, look in winnt\system32\drivers\etc for a file called hosts. Add this line:

    imrworldwide.com 127.0.0.1

    Save. Reboot. (Or kill the java/browser processes and restart them.)

    --

    "And like that ... he's gone."
    1. Re:add imrworldwide.com to your hosts file by Anonymous Coward · · Score: 0

      That will make the Java runtime slow(er) though because all requests have to time out (unless you're running a webserver).

    2. Re:add imrworldwide.com to your hosts file by tswinzig · · Score: 2

      imrworldwide.com 127.0.0.1

      Whoops, I reversed it, use this instead:

      127.0.0.1 imrworldwide.com

      --

      "And like that ... he's gone."
    3. Re:add imrworldwide.com to your hosts file by tswinzig · · Score: 2

      That will make the Java runtime slow(er) though because all requests have to time out (unless you're running a webserver).

      Errr no. Java is multi-threaded. Obviously they must be doing this in another thread, or every time someone uses this thing behind a firewall or off a network, it would block. I don't think so.

      --

      "And like that ... he's gone."
    4. Re:add imrworldwide.com to your hosts file by Anonymous Coward · · Score: 0

      So use this IP instead: 64.124.140.181 (sun.com).

    5. Re:add imrworldwide.com to your hosts file by reynaert · · Score: 1

      Huh? 127.0.0.1 is your own system. If you're running a webserver, the runtime will get a 404 error. Otherwise it will immediately get a "can't connect" error. It won't ever need to time out.

  4. Great idea, and here's how. by Futurepower(R) · · Score: 1

    Good idea. Use WinHex Binary Editor to edit the file. It has a search facility.

  5. What about other OS? by rutherford · · Score: 1

    Can this behaviour be confirmed with other OSes, like the GNU/Linux or Solaris implementations from Sun?
    And what about ports which are based on the Sun source, like Blackdown?

    I think this is really bad and if it's true it shouldn't be only mentioned here on the developer page. Java users are also affected! So if this is really true and sends data like visited URLs, everyone has to know it!
    Perhaps it would be better to use and support free Java implementations like Kaffe than this.

    1. Re:What about other OS? by keesh · · Score: 1, Flamebait

      What is this GNU/Linux of which you speak?

      GNU/Hmmmm... GNU/Better GNU/post GNU/anonymously... GNU/Ach, GNU/why GNU/bother? GNU/It's GNU/only RMS/Karma.

  6. Sneakiness destroys a relationship. by Futurepower(R) · · Score: 1


    When I discover that a person or a company has been sneaky, their reputation with me falls to zero. When I know someone has done one thing that is sneaky, it is very difficult or impossible to know if they are doing other things that are sneaky. It is difficult to put upper or lower bounds on their abusiveness. So, I end the relationship, or limit it as much as possible.

    Is Sun's sneakiness worth the enormous negative publicity of being featured as a sneak on Slashdot? It's difficult to imagine that it could be.

    Is Sun having financial problems, so that the company needs to scrape for nickels and dimes?

    1. Re:Sneakiness destroys a relationship. by fantastic · · Score: 2, Informative

      Sounds like Sun could prove a case of malicious falsehood here.

      The information is not correct and is known to be not correct and is damaging to Sun's reputation.

    2. Re:Sneakiness destroys a relationship. by Anonymous Coward · · Score: 0

      Umm... Sun is not doing this. The guy has a trojan from some other source, most likely Limewire or Kazaa or something. But you can go on and on about how evil Sun is, if you like. It's a tradition on /. to jump to incorrect conclusions.

  7. limewire by dario_moreno · · Score: 1

    Then "they" see how much I am using Limewire... I hope they do not report TCP/IP connection statistics also!

    --
    Google passes Turing test : see my journal
  8. Worst company name... ever by Anonymous+CowboyNeal · · Score: 1

    RedSheriff is the worst company name I've ever heard. What the fuck? Anyone have any other examples which might knock this fucker off the top of the hill in terms of really dumb names?

    1. Re:Worst company name... ever by RGRistroph · · Score: 1
      Can't beat the name offhand . . .

      But this business advertises itself as being "on the foreskin of technology."

    2. Re:Worst company name... ever by Anonymous Coward · · Score: 0

      Yes... Micro-Soft

      I dunno about them, but I'm Mega-Hard

    3. Re:Worst company name... ever by peterprior · · Score: 1

      I used to use an ISP called "RedHotAnt" in the UK..

      They went horribly bust after about 6 months or so, when trading standards went to their "headquarters" and seized half their equipment.

  9. Nothing found by Ivan+the+Terrible · · Score: 5, Informative
    There's nothing in the sources (as distributed) to validate this claim.
    $ find /usr/local/src/jdk1_3-src -type d \( -name RCS -o -name CVS -o -name SCCS \) -prune -o -type f \! -name \*\~ \! -name \*\,v \! -name s.\* -print0 | xargs -0 -e grep -n -e imrworldwide\|redsheriff\|RedSheriff /dev/null
    $
    1. Re:Nothing found by Anonymous Coward · · Score: 0

      Try the IP address.

    2. Re:Nothing found by r6144 · · Score: 1

      Maybe because it is 1.3 or something like that, not 1.3.1_02.

  10. It's not part of the Java runtime by Anonymous Coward · · Score: 1, Informative

    Redsheriff is a spyware applet, as a quick search at Google would reveal. It's not part of the Java runtime.

  11. This is absolutely not part of the Java Runtime by lurp · · Score: 5, Informative
    RedSheriff is definitely not a part of the Java Runtime. It is an applet that various web sites use to track usage statistics. A quick read of their privacy policy, a Google search, or even a quick look at a security newsgroup would have told you that.

    Don't slashdot editors check these stories before posting them?

    1. Re:This is absolutely not part of the Java Runtime by Evro · · Score: 1

      Don't slashdot editors check these stories before posting them?

      Nope

      --
      rooooar
    2. Re:This is absolutely not part of the Java Runtime by alanjstr · · Score: 1

      If you've been reading Slashdot, you should know better than to ask that question. They don't validate links and they don't know how to spell. And no, they don't check to see if a story is true.

      You're basically saying that guy has been trojan'd.

    3. Re:This is absolutely not part of the Java Runtime by Anonymous Coward · · Score: 2, Informative

      No update to the story headline yet - the editor deserves flogging.

    4. Re:This is absolutely not part of the Java Runtime by Yarn · · Score: 2

      If I were one of Sun's legal team I'd be sending legal flames as if it were going out of fashion ;)

      I'm sorry, but I really think Slashdot needs a slap to get its house in order.

      *thinks* maybe I need to have my coffee, I am a bit grumpy *thinks*

      --
      -Yarn - Rio Karma: Excellent
  12. mod parent up by HaiLHaiL · · Score: 1

    for his resourcefulness and expert cli usage :-)

    --


    reech bee-yond ur clip-0n
  13. Fucking do *some* verification before posting by gaj · · Score: 5, Informative
    redsherrif is a spyware applet, not part of the J2SDK.

    A two fucking second search on google would have given you that much info. For the record, running strings on all the bins and libs in the j2sdk1.4 showed neither imrworldwide nor redsherrif.

    I know this is hard stuff, using google an all, so click here to save yourself the trouble.

    1. Re:Fucking do *some* verification before posting by Anonymous Coward · · Score: 0

      Gee, thanks for posting the link with the spelling error in it. How about this one instead?

    2. Re:Fucking do *some* verification before posting by gaj · · Score: 1
      Quitcherbitchin.

      Google shows the same damn results for yours vs. mine. What bloody difference does it make?

    3. Re:Fucking do *some* verification before posting by Anonymous Coward · · Score: 2, Funny
      Yup, it's a spyware applet and I posted this story almost a month ago when I discovered that the news section of the BBC were using it to track usage.

      A quick visit to the site suggests that they have stopped now. A visit to the redsheriff website is amusing; the 'business speak' is impressive - I would offer a link but I don't think the fish can translate from marketing b*llsh*t :)

      They ignored my story and then published somebody else's badly researched version.... bah... editors.... grrr... slashdot.. paaa... Rob

    4. Re:Fucking do *some* verification before posting by josepha48 · · Score: 2
      This is good to know. It means that the person visited a site that had this installed and loaded it on their site. The best thing to do after this happens is to shut down your browser, manually clear your browser cache, then restart your browser.

      Of course for added bonuses you could add a line in your hosts file that would redirect traffic to these sites to your local host. If you did this though and are not running a service on this port AND DON'T have a firewall, you may have to wait for the browser to time out the connection to this site.

      If you do start a service on that port (probably port 80) to answer the requests it would prevent the browser time outs. I'm sure a simple perl server on port 80 would handle the request and drop it to the floor.

      Of course you have to realize that the person who reported this is a Windows user so they needed this dumbed down for them. A UNIX user would have searched the web first and gotten some info on this first.

      --

      Only 'flamers' flame!

    5. Re:Fucking do *some* verification before posting by Furry+Ice · · Score: 1

      Try connecting to a port that you know doesn't have a listener on it sometime. There is no timeout. An RST is sent in response to your SYN, giving an immediate "connection refused" error message:

      [phiggins@court ~]$ telnet localhost 1
      Trying 127.0.0.1...
      telnet: Unable to connect to remote host: Connection refused
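      As an added example (not from the thread), a small Python script that checks the two behaviours argued about in the last two posts: a connect to a loopback port with no listener is refused immediately rather than timing out, and josepha48's idea of a local listener that swallows the redirected request can be done with a throwaway HTTP responder. The loopback addresses, ports and the 204 reply are my assumptions.

```python
import socket
import threading
import time


def probe(host, port, timeout=5.0):
    """Try one TCP connect and report how it ended and how long it took."""
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            outcome = "connected"
        except ConnectionRefusedError:   # an RST answered our SYN: no waiting
            outcome = "refused"
        except socket.timeout:           # SYNs silently dropped (e.g. a DROP rule)
            outcome = "timeout"
    return outcome, time.monotonic() - start


def closed_loopback_port():
    """Find a port on 127.0.0.1 with no listener (bind to 0, then release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_sinkhole(host="127.0.0.1", port=0):
    """Start a throwaway HTTP listener that reads whatever a redirected
    tracker sends, discards it, and answers 204 so the client finishes at once."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listener was closed
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(4096)      # request body is dropped on the floor
                    conn.sendall(b"HTTP/1.1 204 No Content\r\n"
                                 b"Connection: close\r\n\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def fetch_status(host, port, path="/a1.js"):
    """Send a bare GET (as a hosts-file-redirected fetch would) and return the status line."""
    with socket.create_connection((host, port), timeout=5.0) as s:
        s.sendall(f"GET {path} HTTP/1.0\r\nHost: imrworldwide.com\r\n\r\n".encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).split(b"\r\n", 1)[0].decode()


if __name__ == "__main__":
    print(probe("127.0.0.1", closed_loopback_port()))   # ('refused', tiny delay)
    srv, port = start_sinkhole()
    print(fetch_status("127.0.0.1", port))               # HTTP/1.1 204 No Content
    srv.close()
```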

  14. Blocking access by Anonymous Coward · · Score: 0

    #Block RedSherrif/imrworldwide.com spyware applet
    iptables -I INPUT -s 203.166.18.0/24 -j DROP
    iptables -I OUTPUT -d 203.166.18.0/24 -j DROP

  15. a new low... or a conspiracy? by soulfuct · · Score: 1

    This sets a new low in editorial standards for Slashdot. It was bad enough when RobLimo blatantly sucked up to Microsoft, turning a blind eye to obvious bullshit, as noted here: Re:"Not weasely?" posted on Thursday April 05, @10:14AM (Score:1) attached to Windows Exec Doug Miller Responds. Now, Hemos is spreading lies and FUD that bring Slashdot down to the level of tabloid non-editors. Please go out of business soon, or sell out to Microsoft soon and in the open, so that your damage to the industry will be limited.

  16. Probably encrypted. by Futurepower(R) · · Score: 2


    If the story is true: It wouldn't take an intelligent person to encrypt or obfuscate the information in such a way that a string search would not find anything.

  17. False claim by aled · · Score: 1

    This seems a false claim to me, a careless accusation or flaming. You have only to download the sources for Java and check yourself because Sun Java is open sourced. Check also the previous posts and it is obvious that a five minute search would have cleared all doubts: Java is not guilty.

    --

    "I think this line is mostly filler"
  18. "Microsoft"-ing yourself by polrtex · · Score: 1

    Yeah, I didn't think Sun would screw up with such a dumb "Microsoft" type of blunder.. This looked like a post from April 1 :-) A little too late...

  19. I accept that he has a trojan. by Futurepower(R) · · Score: 2


    I accept that he has a trojan. I accept that Sun may not be the source of the trojan.

    The principles stand, however. The principles do apply to all the big companies that actually have abused our trust this month, such as Microsoft (with Hotmail) and last month, such as Yahoo (with Yahoo mail).

    Also, I note that no one who has commented has actually run the same test. I presume you are only guessing.

  20. Responses from Poster by stereoroid · · Score: 3, Interesting
    1. You think I didn't check this first? Why did I see this behaviour on 2 different systems, starting with the installation of a new Sun JRE?
    2. Yes, I used a search engine, and found the same Trojan data. Yes, it's a Trojan, but who put it on my system? From the evidence, it appears that this is being done on Sun's behalf. I know it might not have come from Sun, but this behaviour started with a new JRE, and we don't go surfing the Net on a working server console.
    3. By "short of a firewall", I should have said "another firewall". I don't have the privileges to modify a corporate firewall (it's a very big company). Thanks for the reminder about modifying the hosts file - last resort, I guess.
    4. You assume that because I am using some Win32 systems here at work, that I am a Windoze Luser, and can thus be dismissed with a few careless swearwords. I'm not interested in getting into a pi$$ing contest with anyone, I'll just say that I know that nothing sucks like M$, yet I can deal with them and their products professionally. And you wonder why we're not all using Linux yet, with such lame attitudes?

    None of the above comments go any way towards answering my question. l33t nerds - who needs 'em?

    --
    (this is not a .sig)
    1. Re:Responses from Poster by Kwil · · Score: 1

      Could it be bundled with the Compaq Insight Manager 7 that you were installing? I know HP at least likes to put a sh'load of monitoring and reporting software into their installs.

      i.e., did you try getting the JDK straight from Sun?

      --

      That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze

    2. Re:Responses from Poster by stereoroid · · Score: 2

      It wouldn't surprise me if Compaq did that stuff. According to the product roadmaps, Insight Manager is heading for the grave anyway, to be replaced by HP OpenView family products.

      The JRE did come straight from Sun - the CIM console sends you straight there...

      Thanks for a civil response..!

      --
      (this is not a .sig)
    3. Re:Responses from Poster by scrytch · · Score: 3, Interesting

      I was going to address your points individually, but frankly I think you've written everyone off already. I hope you're putting up an anti-Sun page right now, excoriating them for their spyware, and calling for a class-action suit or something. Would serve you right when you end up with egg on your face.

      None of the above comments go any way towards answering my question.

      What question? You started with an accusation. Your accusation was demolished. You weren't told what you want to hear, so you're throwing a tantrum. By all means, do pick up your ball and go home.

      --
      I've finally had it: until slashdot gets article moderation, I am not coming back.
  21. Weird, just ask by KinkyClown · · Score: 1

    I don't get it. If they do this simply to measure the amount of people that actually use the software instead of just downloading, why not simply ask? I normally do not like surveys but if I can contribute in any way to the downfall of Microsoft I will :)

  22. How to stop Sun JRE from thieving by Anonymous Coward · · Score: 0

    For Windows, download Sygate Personal Firewall, it's absolutely free: http://www.tucows.com/preview/213160.html. In the advanced rule section Rule Summary: This rule will block both incoming and outgoing traffic from/to IP address(es) 203.166.18.221 on all ports and protocols. This rule will be applied to all network interface cards. This traffic will be recorded in the 'Packet Log'.

  23. Slashdot, please do the right thing... by L3WKW4RM · · Score: 1

    Update this story so as not to confuse anyone else. Is it that much egg on the face to admit when you're wrong?

  24. It Is A Trojan by Grail · · Score: 1

    There is no "testing" required. Just look at the HTML source for the website http://www.telstra.com/

    Now grep for "Red Sheriff".

    There's a piece of HTML that tries several methods to get your browser to report your browsing habits to IMR Worldwide.

    Nothing at all to do with Sun's JRE or JDK. Everything to do with Telstra thinking they're bigger than their boots.
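    As an added example (not part of Grail's post or the RedSheriff code), a Python scanner that does what the post describes by hand: it parses a page's HTML and lists every resource pulled from the imrworldwide.com or redsheriff.com domains, whether a script tag, an image, an applet's codebase plus class, or a URL written out by inline JavaScript. The sample page is constructed; apart from a1.js and Measure.class, which the thread names, its URL paths are made up.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tracker domains named in the thread (imrworldwide.com is RedSheriff's collection host).
TRACKER_DOMAINS = ("imrworldwide.com", "redsheriff.com")

# Any absolute http(s) URL inside script text, e.g. a document.write('<img src=...>') fallback.
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""")


class ResourceCollector(HTMLParser):
    """Collects (how, url) for everything the page would fetch from another host."""
    LOADERS = {"script": "src", "img": "src", "iframe": "src",
               "embed": "src", "object": "data", "applet": "codebase"}

    def __init__(self):
        super().__init__()
        self.found = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        attr = self.LOADERS.get(tag)
        if attr and attrs.get(attr):
            url = attrs[attr]
            if tag == "applet" and attrs.get("code"):     # codebase + Measure.class
                url = url.rstrip("/") + "/" + attrs["code"]
            self.found.append((tag, url))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands script bodies over as raw text; mine them for URLs.
        if self._in_script:
            for url in URL_RE.findall(data):
                self.found.append(("inline-script", url))


def is_tracker(url, domains=TRACKER_DOMAINS):
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def find_trackers(html, domains=TRACKER_DOMAINS):
    """Return the (how, url) pairs on a page that point at a tracker domain."""
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    return [(how, url) for how, url in parser.found if is_tracker(url, domains)]


# Constructed sample, modelled on what the thread says the Telstra page contained.
SAMPLE_HTML = """<html><body>
<script src="http://telstra.imrworldwide.com/a1.js"></script>
<script>
  document.write('<img src="http://server-au.imrworldwide.com/pixel.gif" width=1 height=1>');
</script>
<applet code="Measure.class" codebase="http://server-au.imrworldwide.com/" width=1 height=1></applet>
<img src="http://www.example.com/logo.gif">
</body></html>"""

if __name__ == "__main__":
    for how, url in find_trackers(SAMPLE_HTML):
        print(f"{how:14} {url}")
```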

  25. What are the limits of web site visitor tracking? by Futurepower(R) · · Score: 2


    I did as you said.

    I turned off JavaScript and Java in Opera's File/Preferences/Multimedia menu. I selected "Throw away new cookies on exit" in Opera's Privacy Preferences.

    Then I went to the Telstra home page and downloaded the source. (Wow, The Telstra home page is ugly.)

    In the source I found mention of a RedSheriff JavaScript file, http://telstra.imrworldwide.com/a1.js. I downloaded that. (You can download the file by just right-clicking on the link and selecting "Save target as".)

    Then I downloaded another RedSheriff Java program that I found mentioned in the Telstra home page source, http://server-au.imrworldwide.com/Measure.class.

    Embedded within this binary is RedSheriff's Privacy policy web page address: http://www.redsheriff.com/privacy.htm.

    Basically it seems that RedSheriff is carrying visitor tracking to the limits, including tracking unsuspecting novices who may give them personal information.

    Looking at the code, I don't see any attempt to go beyond the boundaries of what the JavaScript and Java languages allow. However, I'm not knowledgeable enough to see everything the code is doing. Can someone help with this?

  26. Rejected Slashdot story submission by Futurepower(R) · · Score: 2


    Subject: What are the limits of web site visitor tracking?

    There is a very interesting story in this, but the Slashdot editors didn't think so.

    RedSheriff tracks visits to web sites, and claims to be "the world's largest interactive media business intelligence specialist". RedSheriff claims "incomparable accuracy" using "superior patented technology" that "records user activity at the source, giving clients unprecedented access to data that accurately describes user behaviors". This raises a question: How much can they know about you?

    To investigate RedSheriff claims, I visited the web sites of two of RedSheriff's clients, Telstra and Virgin Direct's Virgin Money.

    (I prepared by turning off JavaScript and Java in Opera's File/Preferences/Multimedia menu, and selecting "Throw away new cookies on exit" in Opera's Privacy Preferences.)

    I went to the Telstra home page and downloaded the HTML source. (Wow, the Telstra home page is ugly.) In the source I found mention of a RedSheriff JavaScript file, http://telstra.imrworldwide.com/a1.js. I downloaded that. (Save the effort of re-configuring your browser by just right-clicking on the link and selecting "Save target as".) Virgin Money's site has a different RedSheriff JavaScript file, http://server-uk.imrworldwide.com/a3.js. Do a search for "Red Sheriff", with a space.

    Then I downloaded a RedSheriff Java program that I found mentioned in the Telstra and Virgin Money home page sources, http://server-au.imrworldwide.com/Measure.class. Embedded within this binary is RedSheriff's privacy policy web page address: http://www.redsheriff.com/privacy.htm. ("RedSheriff Cares about Your Privacy", it says, humorously trying to have it both ways in the same web site.)

    Basically it seems that RedSheriff is carrying visitor tracking to the limits, including tracking unsuspecting novices who may foolishly but voluntarily give them personal information. Looking at the code, I don't see any attempt to go beyond the narrow boundaries of what the JavaScript and Java languages allow. However, I'm not sure I see everything the code is doing. Can someone help with this? What are the limits?

    Slashdot had a story about RedSheriff, Sun Java Runtime Uploads Usage Data to RedSheriff? Judging from the comments, there is some doubt about who is RedSheriff's client in that situation. The story submitter defended his information, and no one seems to have done a verifying test. (It would be easy to hide encrypted references to RedSheriff sites within a binary. It would be easy to include something in the binary that was not in the freely distributed source.) Note that the first part of one of the RedSheriff JavaScript URLs above contains the name of the client, Telstra.

  27. Re:What are the limits of web site visitor trackin by Grail · · Score: 1

    It's what the code is doing that's the problem - not how it's doing it. There's nothing "bad" about the code as far as exploits are concerned.

    The problem is that the code is loaded by a site (eg: Telstra) without the user being warned that this reporting is happening. From what I could see when it was working, the reporting doesn't stop when you leave the Telstra site - they're recording everywhere you go.

    What a way to gather a pr0n database ;)